Expanded charges link three men to JPMorgan hack, as well as other incidents

Email a friend

To

From

Thank you

Your message has been sent.

Sorry

There was an error emailing this page.

Preet Bharara, U.S. Attorney for the Southern District of New York, speaks next to a chart during a news conference New York November 10, 2015. U.S. prosecutors on Tuesday unveiled criminal charges accusing three men of helping run a sprawling series of hacking and fraud schemes, including a huge 2014 attack against JPMorgan Chase & Co, that generated hundreds of millions of dollars of illegal profit.

On Tuesday, Manhattan US Attorney Preet Bharara's office unsealed an indictment against three individuals charged with hacking several financial institutions, financial news publishers, and other companies.

In court documents shared with CSO Online, the prosecutors say that between 2012 and 2015, the three pulled off "the largest theft of customer data from a U.S. financial institution in history" by stealing the personal information of more than 100 million people.

The three men were first named earlier this year in an indictment related to stock and trading fraud. In addition to JPMorgan, the group targeted eleven other companies, though the twenty-three count indictment doesn't name the victims.

The indictment overviews how the some of the attacks were conducted, which included social engineering and exploitation of the Heartbleed vulnerability against "one of the world's largest financial services corporations" based in Boston, Massachusetts.

Using a mix of legitimate access provided to customers by the victims, the indictment names Shalon as the core criminal hacker of the group. Court documents say he was responsible for probing the targeted networks vulnerabilities and installing malware to gain additional access.

Data taken from one victim would be used in attacks against the other victims, including securities market manipulation. Later, the indictment says the group considered targeting email accounts owned by top executives and power traders for insider information, because "they have some interesting info in their mail."

The group leveraged servers in Egypt, the Czech Republic, South Africa, and Brazil to run their financial attacks and serve as a clearinghouse for their stolen data.

Based on the charges, each of the three men indicted will face decades behind bars if convicted. In a related case, a separate indictment was unsealed against Anthony Murgio on Tuesday, who is also linked to the JPMorgan hack.

The Manhattan US Attorney is expected to release additional details later this afternoon.

This story, "Three indicted in JPMorgan hacking case" was originally published by
CSO.

Steve Ragan is senior staff writer at CSO. Prior to joining the journalism world in 2005, Steve spent 15 years as a freelance IT contractor focused on infrastructure management and security.